VCVRack / VCV-Prototype


Remove FFI from LuaJIT #39

Closed AndrewBelt closed 3 years ago

AndrewBelt commented 3 years ago

FFI may be used to break from the security sandbox. Please remove this, or prove that it cannot be used to break from the sandbox.

modlfo commented 3 years ago

I will try the approach I used at some point, which was unloading it (with ffi = nil) and also unloading the function to reload it (require = nil). I believe there's no other way of bringing it back.

AndrewBelt commented 3 years ago

Okay, I suspected that could be done but wanted to be sure!

modlfo commented 3 years ago

If it's not possible, I can add a runtime flag to make it possible to instantiate both versions (ffi and non-ffi). The regular Lua scripts would use the non-ffi engine while the Vult (generated Lua) would use the ffi and take advantage of the speed.

The Vult code would be safe to run if I remove in the embedded compiler the possibility of declaring external functions. That way the Vult code can only use the safe builtin functions and the ones the user declares.

AndrewBelt commented 3 years ago

I haven't heard from you in a few days so I'm going to release it as-is, but I really need you to make this change ASAP in the next version.

modlfo commented 3 years ago

The initial idea works fine. It also disables loading any other library apart from the preloaded ones. I pushed the fix in 33fed251303917f3a9bdc250df6af97f6246731c

AndrewBelt commented 3 years ago

Looks like it works great. Removed other functions like load().
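
The approach discussed in this thread (clearing ffi, require and load() from what a script can reach), shown as an added example that is not code from VCV-Prototype or from the commit referenced above. The helper names `harden` and `audit`, the extra loader names in the blocklist, and the sample script are assumptions made for illustration.

```lua
-- Added example, not VCV-Prototype code. harden() and audit() are
-- hypothetical helper names; the untrusted chunk is constructed sample input.

-- Globals that can bring new Lua code or native libraries into the state.
local BLOCKED = { "ffi", "require", "package", "module",
                  "load", "loadstring", "loadfile", "dofile" }

local function harden(env)
  -- Drop ffi from the module tables while `package` is still reachable:
  -- LuaJIT registers ffi in package.preload, and a module that has been
  -- required once stays cached in package.loaded.
  local pkg = env.package
  if type(pkg) == "table" then
    for _, key in ipairs({ "loaded", "preload" }) do
      if type(pkg[key]) == "table" then pkg[key].ffi = nil end
    end
  end
  for _, name in ipairs(BLOCKED) do env[name] = nil end
end

-- Return the blocked names that are still visible through env.
local function audit(env)
  local leaks = {}
  for _, name in ipairs(BLOCKED) do
    if env[name] ~= nil then leaks[#leaks + 1] = name end
  end
  return leaks
end

-- The host compiles the script before hardening and keeps the compiler in a
-- local, so the script itself never sees it.
local compile = loadstring or load   -- loadstring on Lua 5.1 / LuaJIT
local untrusted = compile([[
  local ffi = require("ffi")         -- must fail once the state is hardened
  return ffi ~= nil
]], "=untrusted")

harden(_G)

local leaks = audit(_G)
local ok, err = pcall(untrusted)
print("blocked globals still reachable: " .. #leaks)
print("script ran to completion: " .. tostring(ok))
print("error seen by script: " .. tostring(err))
```

An empty result from `audit` only covers the names in the blocklist; it does not show that the rest of the state is safe to expose.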